Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] SuSE Security Announcement: openssh (SuSE-SA:2001:045) (re-released SuSE-SA:2001:044)
  • From: Alex Levit <alex@xxxxxxxxxxx>
  • Date: Thu, 6 Dec 2001 14:13:08 -0800
  • Message-id: <200112062215.fB6MFgd30751@xxxxxxxxxxxxxxx>
Correct me if I am wrong.
The majority of users don't have to use the old ssh protocol (v. 1),
and it can be disabled in /etc/ssh/sshd_config.
Normally you would have a line in sshd_config: Protocol 1,2
To disable the ssh v. 1 protocol, just remove the 1 from that line,
save the config file and restart the sshd daemon.



On Thursday 06 December 2001 13:01, you wrote:
> ______________________________________________________________________________
>
> SuSE Security Announcement
>
> Package: openssh
> Announcement-ID: SuSE-SA:2001:045
> Date: Thursday, Dec 6th 2001 21:30 MET
> Affected SuSE versions: 6.4, 7.0, 7.1, 7.2, 7.3
> Vulnerability Type: local privilege escalation
> Severity (1-10): 5
> SuSE default package: yes
> Other affected systems: systems running openssh
>
> Content of this advisory:
> 1) security vulnerability resolved: openssh
> problem description, discussion, solution and upgrade information
> 2) pending vulnerabilities, solutions, workarounds
> 3) standard appendix (further information)
>
> ______________________________________________________________________________
>
> 1) Re-release of SuSE Security Announcement SuSE-SA:2001:044, brief
> history, Clarification, new problem fixed, upgrade information.
>
> This is a re-release of the SuSE Security Announcement
> SuSE-SA:2001:044, adding another bugfix for the openssh package as well as
> more detailed information about the vulnerabilities to prevent
> misunderstandings.
>
> The currently supported SuSE distributions 6.4 and newer come with two
> implementations of the secure shell protocol: The package names are
> "ssh" and "openssh".
>
>
> Brief history:
> In 1998, a vulnerability of the secure shell protocol in version 1 has
> been discovered and named "crc32 compensation attack". The
> vulnerability allows an attacker to insert arbitrary sequences into the
> ssh-1 protocol layer. At that time, an added patch fixed the problem in the
> ssh implementation (visible in the client-side verbose output of the ssh
> command (-v): "Installing crc compensation attack detector."). In early
> 2001, Michal Zalewski discovered that the widely used patch was defective
> and opened another security hole which is being actively exploited today.
> SuSE Security announcement SuSE-SA:2001:004, published February 16th 2001,
> available at *[1], addresses this defective patch, among other issues.
>
> Clarification/Apology:
> Our last openssh security announcement SuSE-SA:2001:044 (*[3]) may
> falsely lead to assume that the openssh-2.9.9p2 update packages on our ftp
> server fix the vulnerabilities known as crc32 compensation attack. This is
> incorrect since the openssh-2.3.0 packages released with SuSE Security
> announcement SuSE-SA:2000:047 in November 2000, available at *[2], already
> fixed the mentioned (among other) problems. The release of the
> openssh-2.9.9p2 update packages obsoletes the openssh-2.3.0 update
> packages.
> We explicitly regret the used wording and apologize to the openssh
> development team, in particular Markus Friedl and Theo De Raadt, and
> thank them for their excellent work on the project.
>
> Scanning utilities that can be found on the internet connect to port 22
> of a server and read the version string. It should be noted that the
> bare knowledge of the secure shell protocol version string does not allow to
> determine whether a running secure shell daemon is actually vulnerable to
> the defective fix for the crc32 compensation attack.
> SuSE security receive dozens of requests about statements if the
> daemons in use are vulnerable or not. Please see reference *[1].
>
>
> New problem fixed:
> This re-release of SuSE Security Announcement SuSE-SA:2001:044 (please
> see reference *[3] below) adds another patch to the openssh-2.9.9p2
> packages: A bug allows a local attacker on the server to specify
> environment variables that can influence the login process if the
> "UseLogin" configuration option on the server side is set to "yes".
> If exploited, the local attacker on the secure shell server can execute
> arbitrary commands as root.
> In the default configuration of the package, the UseLogin option is set
> to "no", which means that the administrator of the server must have set
> the option to "yes" manually before the bug can be exploited.
>
> Users who upgraded their SuSE openssh package before December 6th 2001
> should upgrade their package again. Use the command "rpm -q openssh"
> to see which version/release of the package you have installed, and
> compare this version with the one as listed below.
>
>
> Upgrade information:
> You can find out which implementation of the ssh protocol you are using
> with the command "rpm -qf /usr/bin/ssh".
> If you use the ssh-1.2.* package, please read Reference *[1].
> If you use the openssh-* package, please download the rpm package for
> your distribution from the URL list below, verify its integrity using
> the methods as described in section 3) of this security announcement
> and install the package using the command
>
> rpm -Uhv file.rpm
>
> where file.rpm is the filename of the package that you have downloaded.
>
> References:
> *[1]: http://www.suse.de/de/support/security/adv004_ssh.txt
> *[2]: http://www.suse.de/de/support/security/2000_047_openssh_txt.txt
> *[3]: http://www.suse.de/de/support/security/2001_044_openssh_txt.txt
>
>
> SPECIAL INSTALL INSTRUCTIONS:
> The sshd secure shell daemon on the server side has to be restarted for
> the new package to become active. If you are logged on on the console,
> the simple command "rcsshd restart" should do this for you.
> If you are logged on via secure shell, you should make sure that you
> do not terminate the connections that are established through the
> running secure shell daemon/its children. In this case, kill the daemon
> after package installation using the command
> kill -TERM `cat /var/run/sshd.pid`
> and then restart the daemon with the command
> /usr/sbin/sshd
> as root.
>
> Then, verify that the login procedure works as before. One of the main
> changes in the new openssh package is that the file
> $HOME/.ssh/authorized_keys2 is only read by the server if the file
> $HOME/.ssh/authorized_keys does not exist and if protocol version 2 is
> being used. The file $HOME/.ssh/authorized_keys2 can be removed after
> its contents have been added to $HOME/.ssh/authorized_keys.
> The two configuration files /etc/ssh/sshd_config (server side) and
> /etc/ssh/ssh_config (client side) contained in the openssh package
> do not get overwritten upon installation or upgrade, if you have
> changed them manually. Instead, the new configuration files are written
> with a .rpmnew suffix. The defaults as provided in the SuSE package make an
> effort to establish both convenience as well as security.
>
>
>
> NOTE: Packages for SuSE Linux distributions 7.0 and older containing
> cryptographic software are located on our German ftp server ftp.suse.de
> for legal reasons. Packages for all other distributions (7.1 and newer)
> can be found at their regular path at ftp.suse.com.
>
>
>
> i386 Intel Platform:
> SuSE-7.3
>
> ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/openssh-2.9.9p2-74.i386.rpm
> f3d60cce6d62dbf79c36a849811c19d7
> source rpm:
>
> ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssh-2.9.9p2-74.src.rpm
> 4246e40b1e5a7b4456f2bb4c05177126
>
> SuSE-7.2
>
> ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/openssh-2.9.9p2-74.i386.rpm
> 3764a15b17b0823c6fa2e8e4aee5af69
> source rpm:
>
> ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssh-2.9.9p2-74.src.rpm
> e9cccadf767cb80e3c588266d6886153
>
> SuSE-7.1
>
> ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/openssh-2.9.9p2-73.i386.rpm
> 4dbcdb2a544cadd36749baea890bc38e
> source rpm:
>
> ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/openssh-2.9.9p2-73.src.rpm
> 04400597a1b9526bc78344e8e523fa40
>
> SuSE-7.0
>
> ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.9.9p2-73.i386.rpm
> 29dcc882bf30cbe88c94b07bb84e7216
> source rpm:
>
> ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-2.9.9p2-73.src.rpm
> b852431e4711d7f45a8bd180532325b0
>
> SuSE-6.4
>
> ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/openssh-2.9.9p2-73.i386.rpm
> 8cfe1e9d2dd964851acb42e1e13311b9
> source rpm:
>
> ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/openssh-2.9.9p2-73.src.rpm
> a3686e39258d03c99fc2ba3573325c2a
>
>
>
> Sparc Platform:
> SuSE-7.3
>
> ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/openssh-2.9.9p2-24.sparc.rpm
> 32d3a1c735d2c27cb580fedeeed3a135
> source rpm:
>
> ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/openssh-2.9.9p2-24.src.rpm
> 82540b2297b2d03d45118b3c23a72bf8
>
> SuSE-7.1
> The update packages for the SuSE Linux 7.1 Sparc distributions are not
> available yet. The package can soon be found at
> ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sec1/openssh.rpm
>
> SuSE-7.0
>
> ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.9.9p2-24.sparc.rpm
> 638891762f09e01b83e9c39c184ce9ea
> source rpm:
>
> ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-2.9.9p2-24.src.rpm
> ad3520ad8907c585f84facb742fc03bf
>
>
>
>
> AXP Alpha Platform:
> SuSE-7.1
>
> ftp://ftp.suse.com/pub/suse/axp/update/7.1/sec1/openssh-2.9.9p2-26.alpha.rpm
> 04e815054c9bc3a1b0a1ddda8c6e2d10
> source rpm:
>
> ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/openssh-2.9.9p2-26.src.rpm
> 32c39e29517fc8269f252f7cc6f18bce
>
> The update packages for the SuSE Linux AXP/Alpha distributions before
> SuSE-7.1 are not available on our ftp server yet. These packages can be
> found at the usual location in the update paths on ftp.suse.de.
>
>
>
>
> PPC Power PC Platform:
> SuSE-7.3
>
> ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/openssh-2.9.9p2-49.ppc.rpm
> 4b056c828675898bf482e9ecb4f91a0b
> source rpm:
>
> ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssh-2.9.9p2-49.src.rpm
> e10ed49e7319c244caf324a64f16c738
>
> SuSE-7.1
>
> ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec1/openssh-2.9.9p2-49.ppc.rpm
> 163126a80ff0167b34c041348ef5c3c4
> source rpm:
>
> ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/openssh-2.9.9p2-49.src.rpm
> 948862c53dc62e921b03766c986a4de2
>
> SuSE-7.0
>
> ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.9.9p2-48.ppc.rpm
> aff3785ac9670daa0e06445ad9b5a2b9
> source rpm:
>
> ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-2.9.9p2-48.src.rpm
> ccfb132470cb61b52688fc12f1352b12
>
> SuSE-6.4
>
> ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/openssh-2.9.9p2-48.ppc.rpm
> ae20b7379474735126636aed05f6eeee
> source rpm:
>
> ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/openssh-2.9.9p2-48.src.rpm
> 2351d7667c02a1ad33e21bd39196cf0a
>
> ______________________________________________________________________________
>
> 2) Pending vulnerabilities in SuSE Distributions and Workarounds:
>
> - We are currently testing kernel update packages for the recently
> found local security flaw in the ELF binary loader in the Linux
> kernel of all v2.4 versions and expect to be able to announce these
> update rpm packages soon with a re-release of our kernel security
> announcement.
>
> ______________________________________________________________________________
>
> 3) standard appendix: authenticity verification, additional information
>
> - Package authenticity verification:
>
> SuSE update packages are available on many mirror ftp servers all over
> the world. While this service is being considered valuable and
> important to the free and open source software community, many users wish
> to be sure about the origin of the package and its content before
> installing the package. There are two verification methods that can be used
> independently from each other to prove the authenticity of a downloaded
> file or rpm package:
> 1) md5sums as provided in the (cryptographically signed) announcement.
> 2) using the internal gpg signatures of the rpm package.
>
> 1) execute the command
> md5sum <name-of-the-file.rpm>
> after you downloaded the file from a SuSE ftp server or its mirrors.
> Then, compare the resulting md5sum with the one that is listed in
> the announcement. Since the announcement containing the checksums is
> cryptographically signed (usually using the key security@xxxxxxx), the
> checksums show proof of the authenticity of the package. We disrecommend to
> subscribe to security lists which cause the email message containing the
> announcement to be modified so that the signature does not match after
> transport through the mailing list software.
> Downsides: You must be able to verify the authenticity of the
> announcement in the first place. If RPM packages are being rebuilt
> and a new version of a package is published on the ftp server, all
> md5 sums for the files are useless.
>
> 2) rpm package signatures provide an easy way to verify the
> authenticity of an rpm package. Use the command
> rpm -v --checksig <file.rpm>
> to verify the signature of the package, where <file.rpm> is the
> filename of the rpm package that you have downloaded. Of course,
> package authenticity verification can only target an uninstalled rpm
> package file.
> Prerequisites:
> a) gpg is installed
> b) The package is signed using a certain key. The public part of
> this key must be installed by the gpg program in the directory ~/.gnupg/
> under the user's home directory who performs the signature verification
> (usually root). You can import the key that is used by SuSE in rpm packages
> for SuSE Linux by saving this announcement to a file ("announcement.txt")
> and running the command (do "su -" to be root):
> gpg --batch; gpg < announcement.txt | gpg --import
> SuSE Linux distributions version 7.1 and thereafter install the
> key "build@xxxxxxx" upon installation or upgrade, provided that
> the package gpg is installed. The file containing the public key
> is placed at the toplevel directory of the first CD
> (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
>
>
> - SuSE runs two security mailing lists to which any interested party may
> subscribe:
>
> suse-security@xxxxxxxx
> - general/linux/SuSE security discussion.
> All SuSE security announcements are sent to this list.
> To subscribe, send an email to
> <suse-security-subscribe@xxxxxxxx>.
>
> suse-security-announce@xxxxxxxx
> - SuSE's announce-only mailing list.
> Only SuSE's security announcements are sent to this list.
> To subscribe, send an email to
> <suse-security-announce-subscribe@xxxxxxxx>.
>
> For general information or the frequently asked questions (faq)
> send mail to:
> <suse-security-info@xxxxxxxx> or
> <suse-security-faq@xxxxxxxx> respectively.
>
> =====================================================================
> SuSE's security contact is <security@xxxxxxxx> or <security@xxxxxxx>.
> The <security@xxxxxxx> public key is listed below.
> =====================================================================
> ______________________________________________________________________________
>
> The information in this advisory may be distributed or reproduced,
> provided that the advisory is not modified in any way. In particular,
> it is desired that the cleartext signature shows proof of the
> authenticity of the text.
> SuSE GmbH makes no warranties of any kind whatsoever with respect
> to the information contained in this security advisory.
>
> Type Bits/KeyID Date User ID
> pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@xxxxxxx>
> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@xxxxxxx>
>
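
The two sshd_config settings this thread turns on, the "Protocol" line from the reply and the "UseLogin" option from the advisory, can be checked with a short script. This is an added example, not part of the original message or of the SuSE advisory; the function name and the finding labels are made up for illustration, and the sample input is constructed.

```shell
#!/bin/sh
# audit_sshd_config [FILE]
# Reads an sshd_config (or stdin when no file is given) and prints one
# finding per line for the settings discussed in this thread:
#   - a Protocol line that still lists version 1
#   - UseLogin set to "yes"
# Prints nothing when neither is found and a Protocol line exists.
audit_sshd_config() {
    awk '
    # Skip blank lines and comment lines.
    /^[ \t]*(#|$)/ { next }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        # Keyword and value are separated by whitespace or "=".
        if (match(line, /[ \t=]+/) == 0) next
        key = tolower(substr(line, 1, RSTART - 1))
        val = tolower(substr(line, RSTART + RLENGTH))
        sub(/[ \t]+$/, "", val)
        # sshd keeps the first value it reads for a keyword, so later
        # duplicates are ignored here as well.
        if (key in seen) next
        seen[key] = 1
        if (key == "protocol") {
            gsub(/[ \t]/, "", val)
            n = split(val, parts, ",")
            for (i = 1; i <= n; i++)
                if (parts[i] == "1")
                    print "protocol1-enabled: Protocol " val
        }
        if (key == "uselogin" && val == "yes")
            print "uselogin-enabled: UseLogin yes"
    }
    END {
        # Without a Protocol line the built-in default of the installed
        # sshd applies; report it so it can be checked by hand.
        if (!("protocol" in seen))
            print "protocol-unset: no Protocol line found"
    }' "$@"
}

# Constructed sample input, not taken from a real system.
audit_sshd_config <<'EOF'
# sample sshd_config fragment
Port 22
Protocol 1,2
UseLogin yes
UseLogin no
EOF
```

On a real server, pass the file path as the argument, for example `audit_sshd_config /etc/ssh/sshd_config`, and restart sshd after changing the file.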
